The Quest for a Small Mach-O
For my sins I have recently actually enjoyed using OS X. There is just something about its unix'ness which appeals to me (though I would rather not have to pay for it to begin with). Anyway one of the...
The Quest : Part 2
So the last try at making a small Mach-O binary didn't really work. Now I could start fiddling with the linker to see if I can make things smaller but I am not particularly up on my Apple linker usage...
Fun with Java Serialization and Reflection
Last year I started to have a poke at Java for security vulnerabilities, I am not really sure why, but probably because I was having some success breaking .NET and felt Java was likely to have similar...
Impersonation and MS14-027
The recent MS14-027 patch intrigued me, a local EoP using ShellExecute. It seems it also intrigued others so I pointed out how it probably worked on Twitter but I hadn't confirmed it. This post is just...
Abusive Directory Syndrome
As ever there's been some activity recently on Full Disclosure where one side believes something's a security vulnerability and the other says it's not. I'm not going to be drawn into that debate, but...
Addictive Double-Quoting Sickness
Much as I'd love it if people who used "Scare Quotes" (see what I did there) were punished appropriately I doubt my intolerance is shared sufficiently amongst the general population. So this blog's not...
Hash Collisions of the Non-Cryptographic Kind
Recently I had a bug which required me to create a hash collision between two strings. Fortunately it wasn't a cryptographically secure hashing algorithm, it was only used in a hash table. The...
A Tale of Two .NET Methods
Sometimes the simplest things amuse me. Take for example CVE-2014-0257 which was a bug in the way DCOM was implemented in .NET which enabled an Internet Explorer sandbox escape. Via the DCOM interface...
When's document.URL not document.URL? (CVE-2014-6340)
I don't tend to go after cross-origin bugs in web browsers, after all XSS* is typically far easier to find (*disclaimer* I don't go after XSS either), but sometimes they're fun. Internet Explorer is a...
Stupid is as Stupid Does When It Comes to .NET Remoting
Finding vulnerabilities in .NET is something I quite enjoy, it generally meets my criteria of only looking for logic bugs. Probably the first research I did was into .NET serialization where I got some...
Old .NET Vulnerability #1: PAC Script RCE (CVE-2012-4776)
This is the start of a very short series on some of my old .NET vulnerabilities which have been patched. Most of these issues have never been publicly documented, or at least there have been no PoCs...
Old .NET Vulnerability #2+3: Reflection Delegate Binding Bypass...
Reflection is a very useful feature of frameworks such as .NET and Java, but it has interesting security issues when you're trying to sandbox code. One which is well known is how much the framework...
Starting WebClient Service Programmatically
I've been asked how you can start the WebClient service on Windows 7+ programmatically, specifically in relation to this issue. If you try and start it manually (say using the sc tool) as a normal user...
Tracking Down the Root Cause of a Windows File Handling Bug
This blog post is about a bug in the Windows Explorer shell (useless from a security perspective I believe) that I thought I'd document. I'll explain the bug then go through how I tracked down the code...
Getting Code Execution on Windows by Abusing Default Kernel Debugging Setting
TL;DR; This blog post comes from an on-site pentest I did a long time ago. While waiting for some other testing to complete the customer was interested to see if I could get code execution on one of...
Exploiting Environment Variables in Scheduled Tasks for UAC Bypass
The Windows Task Scheduler is a great place to go and find privilege escalations, it's typically abused to add SUID style capabilities to Windows in a nice easy to misunderstand package. It can execute...
Reading Your Way Around UAC (Part 1)
I'm currently in the process of trying to do some improvements to the Chrome sandbox. As part of that I'm doing updates to my Sandbox Attack Surface Analysis Toolset as I want to measure whether what...
Reading Your Way Around UAC (Part 2)
We left Part 1 with the knowledge that normal user processes in a split-token admin logon can get access to Terminate, QueryLimitedInformation and Synchronize process access rights to elevated...
Reading Your Way Around UAC (Part 3)
This is the final part in my series on UAC (Part 1 and Part 2 links). In Part 2 we found that if there's any elevated processes running in a split-token admin session on Windows earlier than 10 we...
Locking Your Registry Keys for Fun and, Well, Just Fun I Guess
Let's assume you have some super important registry keys that you don't want anyone to modify or delete, how might you do it? One way is to change the security descriptor of the registry key to prevent...